diff --git a/impacket/dcerpc/v5/nrpc.py b/impacket/dcerpc/v5/nrpc.py
index e2c3225d27..666f4c85ad 100644
--- a/impacket/dcerpc/v5/nrpc.py
+++ b/impacket/dcerpc/v5/nrpc.py
@@ -337,6 +337,13 @@ class PNETLOGON_WORKSTATION_INFO(NDRPOINTER):
 )

 # 2.2.1.3.7 NL_TRUST_PASSWORD
+class NL_TRUST_PASSWORD_FIXED_ARRAY(NDRUniFixedArray):
+ def getDataLen(self, data, offset=0):
+ return 512+4
+
+ def getAlignment(self):
+ return 1
+
 class WCHAR_ARRAY(NDRUniFixedArray):
 def getDataLen(self, data, offset=0):
 return 512
@@ -2098,7 +2105,8 @@ class NetrServerPasswordSet2(NDRCALL):
 ('SecureChannelType',NETLOGON_SECURE_CHANNEL_TYPE),
 ('ComputerName',WSTR),
 ('Authenticator',NETLOGON_AUTHENTICATOR),
- ('ClearNewPassword',NL_TRUST_PASSWORD),
+ #('ClearNewPassword',NL_TRUST_PASSWORD),
+ ('ClearNewPassword',NL_TRUST_PASSWORD_FIXED_ARRAY),
 )

 class NetrServerPasswordSet2Response(NDRCALL):
@@ -2786,14 +2794,14 @@ def hNetrServerTrustPasswordsGet(dce, trustedDcName, accountName, secureChannelT
 request['Authenticator'] = authenticator
 return dce.request(request)

-def hNetrServerPasswordSet2(dce, primaryName, accountName, secureChannelType, computerName, authenticator, clearNewPassword):
+def hNetrServerPasswordSet2(dce, primaryName, accountName, secureChannelType, computerName, authenticator, clearNewPasswordBlob):
 request = NetrServerPasswordSet2()
 request['PrimaryName'] = checkNullString(primaryName)
 request['AccountName'] = checkNullString(accountName)
 request['SecureChannelType'] = secureChannelType
 request['ComputerName'] = checkNullString(computerName)
 request['Authenticator'] = authenticator
- request['ClearNewPassword'] = clearNewPassword
+ request['ClearNewPassword'] = clearNewPasswordBlob
 return dce.request(request)

 def hNetrLogonGetDomainInfo(dce, serverName, computerName, authenticator, returnAuthenticator=0, level=1):
diff --git a/tests/SMB_RPC/test_nrpc.py b/tests/SMB_RPC/test_nrpc.py
index 19bad96bb9..d9eaaf2a87 100644
--- a/tests/SMB_RPC/test_nrpc.py
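Review bot: `getDataLen` in the new `NL_TRUST_PASSWORD_FIXED_ARRAY` returns the bare expression `512+4`, and nothing explains that size or why `getAlignment` returns 1. The 512 matches what `WCHAR_ARRAY` returns just below; the 4 is presumably the structure's Length field, which should be confirmed against section 2.2.1.3.7. I would add a class comment such as `# NL_TRUST_PASSWORD carried as one opaque 516-byte blob: 512-byte Buffer + 4-byte Length` and name the size once, e.g. `NL_TRUST_PASSWORD_SIZE = 512 + 4`, so later checks can reuse it.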
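Review bot: The superseded field definition is left in `NetrServerPasswordSet2` as a commented-out line, `#('ClearNewPassword',NL_TRUST_PASSWORD),`, directly above its replacement. Version control already keeps the old definition, so I would delete it and put a why-comment in its place, for example `# opaque bytes: the caller passes the serialized NL_TRUST_PASSWORD, not the structure`. Because the field type changes, code that still assigns an `NL_TRUST_PASSWORD` object here will presumably marshal differently or fail, which deserves a changelog entry.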
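Review bot: `hNetrServerPasswordSet2` forwards `clearNewPasswordBlob` to the request without checking that it is a bytes value of the size the new fixed array declares. An existing caller that still passes an `NL_TRUST_PASSWORD` object, or a short buffer, is then caught late, if at all, during marshalling or by the server. A guard at the top fails early: `if not isinstance(clearNewPasswordBlob, bytes) or len(clearNewPasswordBlob) != 516:` followed by `raise ValueError('ClearNewPassword must be a 516-byte blob')`. Renaming the last parameter also breaks callers that passed `clearNewPassword=` by keyword, so a one-line docstring stating that the argument is the serialized structure would make the new contract explicit.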
+++ b/tests/SMB_RPC/test_nrpc.py
@@ -520,11 +520,17 @@ def test_NetrServerPasswordSet2(self):
 request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel
 request['ComputerName'] = self.serverName + '\x00'
 request['Authenticator'] = self.update_authenticator()
- request['ClearNewPassword'] = nrpc.NL_TRUST_PASSWORD()
- request['ClearNewPassword']['Buffer'] = b'\x00' *512
- request['ClearNewPassword']['Length'] = 0x8
+ cnp = nrpc.NL_TRUST_PASSWORD()
+ cnp['Buffer'] = b'\x00'*512
+ cnp['Length'] = 0x8
+
+ request['ClearNewPassword'] = cnp.getData()
+ #request['ClearNewPassword'] = nrpc.NL_TRUST_PASSWORD()
+ #request['ClearNewPassword']['Buffer'] = b'\x00' *512
+ #request['ClearNewPassword']['Length'] = 0x8

 try:
+ request.dump()
 resp = dce.request(request)
 resp.dump()
 except Exception as e:
@@ -541,7 +547,7 @@ def test_hNetrServerPasswordSet2(self):
 try:
 resp = nrpc.hNetrServerPasswordSet2(dce, NULL, self.machineUser, nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
- self.serverName, self.update_authenticator(), cnp)
+ self.serverName, self.update_authenticator(), cnp.getData())
 resp.dump()
 except Exception as e:
 if str(e).find('STATUS_ACCESS_DENIED') < 0:
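Review bot: Three superseded assignments are committed as comments in `test_NetrServerPasswordSet2` (`#request['ClearNewPassword'] = nrpc.NL_TRUST_PASSWORD()` and the two lines after it); they should be deleted. The test also never pins the property the library change relies on, namely that the serialized structure has the size the fixed array declares. Adding `assert len(cnp.getData()) == 516` before the assignment would catch a layout mismatch locally instead of as a server-side error, and the same check fits the `cnp.getData()` call in the following hunk. The `try` block's handler continues outside this hunk.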